SecurityEssentials2010

Discussion in 'Malware Help (A Specialist Will Reply)' started by tommy2k8, May 17, 2010.

  1. tommy2k8

    tommy2k8 Private First Class

    I have got a client PC that has got SecurityEssentials2010 on it.
    It won't start (it will but I can't do anything) in normal mode, so I have to start Windows in Safe Mode.
    It managed to disable Windows Installer, but I managed to get it back.
    I installed SBAM (the Full Scan found nothing!), MBytes (which I can't run because there is no Run button! - malware or maybe SM screen too big?!)
    I haven't tried running the others yet!
    I also can't get the Internet, which is a good thing, sort of!
    Is it worth trying to sort this mess out, or just reinstall everything?

    I did manage to run AVG from the Command Line, the results of which are attached.
     

    Attached Files:

  2. evilfantasy

    evilfantasy Malware Fighter

    You will need to transfer these over to the infected machine.

    Welcome to MajorGeeks!

    If any of the scans will not run or download move on to the next one and let me know what happened like if there were any errors or if they just wouldn't download or run.

    Try not to restart the computer until one of the tools we use does it for you or tells you to.

    If one of the tools will not run just go on to the next one. Save the logs to post in your next reply.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 3 different versions. If one of them won't run then download and try to run the next one.

    Vista and Windows 7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe

    If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

    Do not reboot your computer after running rkill as the malware programs will start again.


    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * When finished it will create a log.
    * Please post the rkill.log in the next reply.

    * If Rkill does not run from the first link, delete the file, then download and use the one provided in Link 2. If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.


    Once you've gotten one of them to run then try to immediately run the following.

    Using Malwarebytes Anti-Malware


    1. If you receive a code 2 error while installing Malwarebytes', please press the OK button to close these errors as we will resolve them in future steps. The code 2 error will look similar to the image below.


    2. As this infection deletes a core executable of Malwarebytes', or does not allow it to run, we will need to download a new copy of it and put it in the C:\program files\Malwarebytes' Anti-Malware\ folder. To download the file please click on the following link:

      When your browser prompts you where to save it to, please save it to the C:\program files\Malwarebytes' Anti-Malware\ folder. When downloading the file, it will have a random filename. Please leave the filename the way it is as it is important that it is not changed. You may want to write down the name of the file as you will need to know the name in the next step.
    3. Once the file has been downloaded, open the C:\program files\Malwarebytes' Anti-Malware\ folder and double-click on the file you downloaded in step 1. MBAM will now start and you will be at the main program screen.

    Next get the logs from MGtools.

    Using MGtools

    Logs needed:

    • Rkill
    • Malwarebytes
    • MGlogs
     
  3. tommy2k8

    tommy2k8 Private First Class

    Every time I try to run any of them, it says 'Application cannot be executed. The file is infected. Please install antivirus software'!
     
  4. evilfantasy

    evilfantasy Malware Fighter

    Can you burn a CD?

    Avira AntiVir Rescue System

    1. Download the Avira AntiVir Rescue System
    - If you need a free burning application, CDBurnerXP works on all operating systems from Microsoft Windows 2000 SP4 onwards.
    2. Place a blank CD in your burner and double-click on the downloaded file.
    3. The program will automatically burn the CD for you.
    4. Place the burned CD into the affected computer and start the computer with the CD in the CD tray.
    5. On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
    6. Click on the Configuration button.

    - Select Scan all files
    - Select Try to repair infected files and Rename files, if they cannot be removed
    - Select Scan for dialers
    - Select Scan for joke programs (Jokes)
    - Select Scan for games
    - Select Scan for spyware (SPR)

    7. Click on Virus scanner
    8. Click on Start scanner at the bottom of the screen.

    9. Let Avira finish its scan and then remove any threats found and then exit out of the scanner.
    10. Take the CD out of the CD/DVD tray and then restart the computer.

    If needed see this Tutorial for the Avira Rescue CD
     
  5. tommy2k8

    tommy2k8 Private First Class

    I finally managed to do it!
    I had to do Hijack This! out of cycle as that was the only thing I could think of to get things to run!

    After I ran SBAM (strangely, it found something after I told it to look for tracking cookies! (smss.exe)).
    After I did that, I couldn't get into Safe Mode, it kept logging off a second after I logged on, so I looked on the web and followed the Microsoft procedure 'Recover a corrupted registry that prevents Windows XP from starting'.

    However, I could find his documents, but bizarrely not his music, so I had to use 'Recuva' software.
    Anyway, here are the logs.

    (Bear in mind I didn't have an internet connection)
     

    Attached Files:

  6. evilfantasy

    evilfantasy Malware Fighter

    Do you have an Internet connection now?

    Also stop trying to recover files. They are very likely infected so you are just re-infecting yourself.
     
  7. tommy2k8

    tommy2k8 Private First Class

    He connects via a USB modem!, so I can't check!

    You've got a point there! What shall I do about his music then?
     
  8. evilfantasy

    evilfantasy Malware Fighter

    You either can or can not connect to the Internet. Yes or no?

    If no then why and what happens when you try?

    Which one is more important. Recovering the computer or the music? Let's get it cleaned of malware and then worry about other things.
     
  9. tommy2k8

    tommy2k8 Private First Class

    Yes he can!

    Recovering the computer is more important
     
  10. evilfantasy

    evilfantasy Malware Fighter

    Open Malwarebytes' Anti-Malware.

    * Click the Update tab.
    * Click Check for Updates
    * If an update is found, it will download and install.
    * Click the Scanner tab.
    * Select Perform Quick Scan, then click Scan.
    * The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * Copy & Paste the entire report in your next reply.

    Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

    ----------

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Attach the new C:\MGlogs.zip file that will be created.
     
  11. tommy2k8

    tommy2k8 Private First Class

    Here is the result of the MBAM scan, and attached are MGLogs:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4117

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    19/05/2010 16:22:17
    mbam-log-2010-05-19 (16-22-17).txt

    Scan type: Quick scan
    Objects scanned: 186566
    Time elapsed: 28 minute(s), 16 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Administrator.SHELTON.001\Local Settings\Temp\~DFFD36.tmp (Malware.Packer.Gen) -> Delete on reboot.
     

    Attached Files:
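    The MBAM log above is a fixed-layout text format, so it lends itself to automated checking. As an added example (not from this thread or from Malwarebytes), the Python below parses the header, the summary counts and the per-category detection lines, then cross-checks the declared counts against the items actually listed and flags anything left as "Delete on reboot". The embedded sample log is constructed to match the layout of the posted log and is not the attached file itself.

```python
import re

# Constructed sample in the layout of the MBAM 1.46 log posted above (not the attached file itself).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
Database version: 4117
Scan type: Quick scan
Objects scanned: 186566

Registry Keys Infected: 0
Files Infected: 1

Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator.SHELTON.001\Local Settings\Temp\~DFFD36.tmp (Malware.Packer.Gen) -> Delete on reboot.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # "Files Infected: 1" (summary block)
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")         # "Files Infected:"   (detail block)
ITEM_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.?$")    # "<object> (<threat>) -> <action>."

def parse_mbam_log(text):
    """Return (header, summary, detections): two dicts plus detections keyed by category."""
    header, summary, detections, section = {}, {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if m := SUMMARY_RE.match(line):
            summary[m[1]] = int(m[2])
        elif m := SECTION_RE.match(line):
            section = m[1]
            detections.setdefault(section, [])
        elif section is not None:
            if m := ITEM_RE.match(line):          # "(No malicious items detected)" does not match
                detections[section].append((m[1], m[2], m[3]))
        elif ": " in line:                        # "Database version: 4117" style header lines
            key, value = line.split(": ", 1)
            header[key] = value
    return header, summary, detections

def count_mismatches(summary, detections):
    """Categories whose declared count differs from the items listed: a truncated, edited or partial log."""
    return {cat: (n, len(detections.get(cat, [])))
            for cat, n in summary.items() if n != len(detections.get(cat, []))}

def pending_reboot_actions(detections):
    """Objects MBAM could not remove in place ("Delete on reboot"): the box is not clean until it restarts."""
    return [obj for items in detections.values() for obj, _, action in items if "reboot" in action.lower()]
```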

  12. evilfantasy

    evilfantasy Malware Fighter

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX Checked until you exit all browser sessions including the one you are reading in right now:

    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)

    After clicking Fix checked, exit HijackThis.



    If you already have ComboFix be sure to delete it and download a new copy.

    Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

    Link #1
    Link #2

    **Note: It is important that it is saved directly to your Desktop

    Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

    Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    Double click combofix.exe & follow the prompts.
    Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
    When finished ComboFix will produce a log for you.
    Attach the ComboFix log in your next reply.

    Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

    If you have problems with ComboFix usage, see How to use ComboFix



    Use the Kaspersky Online Scanner

    In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

    * Click on SCAN NOW
    * Click Accept.
    * The program will then begin downloading the latest definition files.
    * Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
    * The scan will take a while, so be patient and let it finish.

    When the scan is done, in the Scan is complete window, any infection is displayed.
    There is no option to clean/disinfect, however, we need to analyze the information on the report.

    To obtain the report:
    Click on: Save Report As
    * Next, in the Save as prompt, Save in area, select: desktop.
    * In the File name area use KScan, or something similar.
    * In Save as type: click the drop arrow and select: Text file [*.txt]
    * Then, click: Save

    http://img196.imageshack.us/img196/840/kassavetxt.gif

    Copy and paste the Kaspersky Online Scanner Report in your next reply.

    Note for Internet Explorer 7 and 8 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

    If needed, this animation will guide you through the process.


    Next post please add the ComboFix and Kaspersky logs.

    Also let me know how the computer is running now.
     
    Last edited: May 19, 2010
  13. tommy2k8

    tommy2k8 Private First Class

    Here is the ComboFix log; I can't do the Kaspersky Online Scanner, because it is not available at the moment! So I am going to scan with Housecall from Trend Micro.

    The computer is a little slow, even for an Intel Pentium III with 512MB RAM!
     

    Attached Files:

    • log.txt (15.5 KB)
  14. tommy2k8

    tommy2k8 Private First Class

    Here is the Panda ActiveScan log (I ran HouseCall as well which found nothing!)
     

    Attached Files:

  15. evilfantasy

    evilfantasy Malware Fighter

    In the Panda log under the VULNERABILITIES section. Those are all missing Windows Updates.

    How is the computer running now?
     
  16. tommy2k8

    tommy2k8 Private First Class

    I ran scans last night to make sure it was clean; no infected objects!

    The computer is running fine now; I think the software that made it better was mostly ComboFix!

    Thank you.

    Now, the same client is bringing me another malware-riddled computer for me to have a look at - computers I look at infected with malware have doubled!
     
  17. evilfantasy

    evilfantasy Malware Fighter

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
